The section also includes the current preliminary version of the CCE List; a CCE Status section detailing the status of the current version; a description of How to Participate for organizations and individuals interested in contributing; and the newly revised CCE Working Group section for those interested in actively participating in this new community initiative.

A white paper entitled Vulnerability Type Distributions in CVE has been posted on the CVE Documents page. Written by CVE Editor Steve Christey, this October 2006 technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories.

CVE Mentioned in Article on Software Development Times

CVE was mentioned in a November 15, 2006 article entitled "The Rise of Cross-Site Scripting" on the Software Development Times Web site. The article is about a report on trends in the types of CVEs: "[CVE List] data shows that the number of buffer overflow reports is holding steady at between 250 and 450 per year. Web vulnerabilities, on the other hand, have skyrocketed beginning in 2003. (In total, there were three times as many vulnerabilities reported in 2005 as there were in 2001.)"

CVE Mentioned in Article on SearchSecurity.com

CVE was mentioned in a November 9, 2006 article entitled "Software security flaws begin and end with Web application security" on SearchSecurity.com. The article is about a report on trends in the types of CVEs: "According to a recent report published by the Common Vulnerabilities and Exposures (CVE) project, flaws in Web software are among the most reported security issues so far this year. It's easy to see why. After all, hackers are known to search for an easy target. Poorly configured or written Web applications are not only an easy target, taking the attacker straight to their goal — data, and lots of it — but also can be used to spread malware to anyone else who visits the compromised site."

The CVE Web site now contains 20,074 unique information security issues with publicly known names. Of these, 3,052 have CVE entry status and 17,022 have candidate status pending approval by the CVE Editorial Board. CVE identifiers are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE identifiers.

In addition, a new version of the CVE List has been released to update the format of the Open Vulnerability and Assessment Language (OVAL) identifiers (OVAL-IDs) that are included as references for CVE identifiers: CVE Version: 20061101. The new CVE Version includes updates for existing CVE entries only. No candidates were updated to entry status. Some CVE descriptions may also be modified and some identifiers will have other changes in their references in addition to the OVAL changes. (Review the Version Difference Report.)

Each CVE Identifier includes the following: the CVE identifier number (e.g., "CVE-1999-0067"); an indication of "entry" or "candidate" status; a brief description of the security vulnerability; and pertinent references such as vulnerability reports, advisories, or OVAL-IDs. Previously, OVAL-IDs consisted of an OVAL prefix followed by four digits. OVAL identifiers now use an "oval:Organization DNS Name:ID Type:ID Value" format, where Organization DNS Name is of the form 'org.mitre.oval'; ID Type denotes the entity to which the ID is being applied (one of def – Definition, obj – Object, ste – State, tst – Test, or var – Variable); and ID Value is an integer that is unique within the DNS Name and ID Type pair that precedes it. For example, with the new version, CVE-2006-1316 includes oval:org.mitre.oval:def:918 as one of its references.

Contact cve@mitre.org with any comments or concerns. Visit the CVE List to review or download all currently available identifiers.

One new information security product is the latest to achieve the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted as part of the organization's product listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 66 products to-date have been declared officially compatible.

The following product is now registered as officially "CVE-Compatible":

Use of the official CVE-Compatible logo by this organization will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. Their compatibility process questionnaire will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

New CVE Version to Address Modifications of OVAL-ID References in CVE Identifiers

A new version of the CVE List will be released on November 1, 2006 to update the format of the Open Vulnerability and Assessment Language (OVAL) identifiers (OVAL-IDs) that are included as references for CVE Identifiers. The new CVE Version will include updates for existing CVE entries only. There will not be any new entries. Some CVE descriptions may also be modified and some entries will have other changes in their references in addition to the OVAL changes.

Each CVE Identifier includes the following: the CVE identifier number (e.g., "CVE-1999-0067"); an indication of "entry" or "candidate" status; a brief description of the security vulnerability; and pertinent references such as vulnerability reports, advisories, or OVAL-IDs. Previously, OVAL-IDs consisted of an OVAL prefix followed by four digits. OVAL identifiers now use an "oval:Organization DNS Name:ID Type:ID Value" format, where Organization DNS Name is of the form 'org.mitre.oval'; ID Type denotes the entity to which the ID is being applied (one of def - Definition, obj - Object, ste - State, tst - Test, or var - Variable); and ID Value is an integer that is unique within the DNS Name and ID Type pair that precedes it. For example, after the new version is released, CVE-2006-1316 will include oval:org.mitre.oval:def:1115 as one of its references.
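The OVAL-ID format described in this and the earlier announcement is simple enough to validate mechanically, which is worth doing in any tool that consumes CVE reference lists across the transition: a reference that still carries the old "OVAL" plus four digits shape, or an oval: string with an ID Type outside the five listed values, is a sign the feed or the consumer has not been updated. The following is an added example and is not code from MITRE or from the CVE project; the reference list it classifies is constructed here, and only the oval:org.mitre.oval:def:1115 value comes from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# ID Type values the announcement lists for the new OVAL-ID format.
OVAL_ID_TYPES = {
    "def": "Definition",
    "obj": "Object",
    "ste": "State",
    "tst": "Test",
    "var": "Variable",
}

# New format: oval:<Organization DNS Name>:<ID Type>:<ID Value>, for example
# oval:org.mitre.oval:def:1115 (the value given in the announcement).
NEW_OVAL_ID = re.compile(
    r"^oval:(?P<dns>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r":(?P<type>[a-z]{3}):(?P<value>[0-9]+)$"
)

# Old format as the announcement describes it: an "OVAL" prefix plus four digits.
OLD_OVAL_ID = re.compile(r"^OVAL[0-9]{4}$")


@dataclass(frozen=True)
class OvalId:
    dns_name: str
    id_type: str
    id_value: int

    def __str__(self) -> str:
        return f"oval:{self.dns_name}:{self.id_type}:{self.id_value}"


def parse_oval_id(text: str) -> OvalId:
    """Parse a new-format OVAL-ID, rejecting unknown ID Type values."""
    m = NEW_OVAL_ID.match(text.strip())
    if m is None:
        raise ValueError(f"not a new-format OVAL-ID: {text!r}")
    if m["type"] not in OVAL_ID_TYPES:
        raise ValueError(f"unknown OVAL ID Type {m['type']!r} in {text!r}")
    return OvalId(m["dns"], m["type"], int(m["value"]))


def is_legacy_oval_id(text: str) -> bool:
    """True for an old-style OVAL-ID (OVAL prefix followed by four digits)."""
    return OLD_OVAL_ID.match(text.strip()) is not None


def classify_references(refs: List[str]) -> Dict[str, list]:
    """Sort a CVE entry's references into buckets so a feed consumer can see
    which ones still carry legacy OVAL-IDs or malformed oval: strings."""
    buckets: Dict[str, list] = {
        "oval": [], "legacy_oval": [], "malformed_oval": [], "other": []
    }
    for ref in refs:
        ref = ref.strip()
        if is_legacy_oval_id(ref):
            buckets["legacy_oval"].append(ref)
        elif ref.lower().startswith("oval:"):
            try:
                buckets["oval"].append(parse_oval_id(ref))
            except ValueError:
                buckets["malformed_oval"].append(ref)
        else:
            buckets["other"].append(ref)
    return buckets


# Constructed reference list for CVE-2006-1316: the def:1115 reference is the
# one named in the announcement; the other three strings are made up here to
# exercise the legacy, malformed, and non-OVAL paths.
SAMPLE_REFERENCES = [
    "oval:org.mitre.oval:def:1115",
    "OVAL0042",                      # constructed legacy-style reference
    "oval:org.mitre.oval:xyz:7",     # constructed: ID Type not in the list
    "VENDOR-ADVISORY-PLACEHOLDER",   # constructed non-OVAL reference
]

if __name__ == "__main__":
    for bucket, items in classify_references(SAMPLE_REFERENCES).items():
        print(bucket, [str(item) for item in items])
```

The parser deliberately treats an unrecognised ID Type as an error rather than passing it through, because a downstream tool that keys OVAL definitions by type would otherwise silently drop or misfile the reference.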

We are making this announcement now to give advance notice and to minimize the work the change requires of users and vendors. Please contact cve@mitre.org with any comments or concerns.

CVE Hosts Booth at FIAC 2006

MITRE hosted a CVE/CCE/CWE/OVAL/CME exhibitor booth at Federal Information Assurance Conference (FIAC) 2006, October 25-26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference exposed CVE, CCE, CWE, OVAL, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. In addition, organizations with CVE-Compatible Products and Services also exhibited.

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.

CVE Presents Briefing at Tactical Information Assurance 2006

CVE Compatibility Lead and CWE Program Manager Robert A. Martin presented a briefing about CVE/CWE/OVAL entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference introduced CVE, CWE, and OVAL to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.

Visit the CVE Calendar page for information on this and other upcoming events.

MITRE is scheduled to host a CVE/CCE/CWE/OVAL/CME exhibitor booth at Federal Information Assurance Conference (FIAC) 2006, October 25-26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose CVE, CCE, CWE, OVAL, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. In addition, organizations with CVE-Compatible Products and Services will also be exhibiting.

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.

CVE to Present Briefing at Tactical Information Assurance 2006

CVE Compatibility Lead and CWE Program Manager Robert A. Martin is scheduled to present a briefing about CVE/CWE/OVAL entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference will introduce CVE, CWE, and OVAL to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.

Visit the CVE Calendar page for information on this and other upcoming events.

CVE Included in Article about Vulnerabilities in SC Magazine

CVE was mentioned in an article entitled "XSS flaws jump to top of CVE rankings, but is the threat overblown?" in the September 22, 2006 issue of SC Magazine. The article is a report about a study by Jeremiah Grossman, CTO of WhiteHat Security, who used the CVE List to determine that "XSS flaws are now the No. 1 flaw on MITRE's Common Vulnerabilities and Exposures (CVE) site - a considerable growth from 12 months ago." The article also includes a quote by Grossman, who states: "This is important to realize because XSS is now ranked ... as the most prevalent vulnerability, even more prevalent than buffer overflows."

Common Weakness Enumeration (CWE) Launches Own Web Site

The CWE List is now available on a dedicated Common Weakness Enumeration (CWE) Web site. It will no longer be available on the CVE Web site. The new site includes the CWE List; an About section describing the overall CWE effort and process in more detail; News page; Calendar page; Compatibility page; Community Participation page; and a list of Sources. CWE is based in part on CVE's 19,000+ identifiers.

CVE Hosts Booth at IT Security World 2006

MITRE hosted a CVE/CCE/CWE/OVAL/CME exhibitor booth at MISTI's IT Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference exposed CVE, CCE, CWE, OVAL, and CME to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs. Organizations with CVE-Compatible Products and Services also exhibited.

Visit the CVE Calendar page for information on this and other upcoming events.

525 CVE Names with Candidate Status Added to CVE List in September

525 CVE names with candidate status were added to the CVE List in September 2006. As of September 27, 2006, there were 19,423 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 16,371 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Recently released CVE names are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for September or any month.

We presented a briefing about CVE and CWE at the 5th Annual Cyber Security Executive Summit for the financial services sector on September 13-14, 2006 at the Metropolitan Pavilion in New York City, New York, USA. The event introduced CVE and CWE to financial industry executives and security professionals from around the world.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.

September 8, 2006

NVD's Public Forum Allows Vendors to Comment on the CVE Vulnerabilities Discovered in their Products

The U.S. National Vulnerability Database (NVD), which is built primarily upon CVE identifiers, has announced a new service that provides the software industry with "an open forum to comment upon the set of CVE vulnerabilities discovered in their products. Software vendors have the deepest knowledge about their products and thus are uniquely positioned to comment on their vulnerabilities."

According to Peter Mell, the U.S. National Institute of Standards and Technology's (NIST) NVD Program Manager, the "...set of 'official vendor statements' [that provides the comments] are available as an XML feed from the NVD download page, http://nvd.nist.gov/download.cfm. We encourage other vulnerability databases and services to incorporate these vendor statements alongside their CVE vulnerability descriptions. The statements are also available on the respective NVD vulnerability summary pages (e.g., http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4124).

"Software development organizations can submit official statements by contacting NVD staff (nvd@nist.gov). The capability exists both for organizations to manually submit statements and for organizations to log into NVD to issue and modify statements themselves. We recommend the log in capability for organizations that are affected by more than a few CVE vulnerabilities.

"We would like to thank Red Hat, particularly Mark Cox, for coming up with the idea for this service. They recognized that the software industry needed an open forum in which they could comment on the CVE vulnerabilities in their products. They approached NVD with this idea and we started a pilot program in which Red Hat provided over 100 official statements regarding the CVE vulnerabilities. Each of these statements added valuable details that were not always available from third-party security advisories.

"Organizations can use the service in a variety of ways. For example, they can provide configuration and remediation guidance, clarify vulnerability applicability, provide deeper vulnerability analysis, dispute third party vulnerability information, and explain vulnerability impact.

"It is [NVD's] hope that the software industry will actively participate in this open forum and that the 'official vendor statements' will be propagated throughout the 300+ products and services that use the CVE vulnerability naming standard (http://cve.mitre.org)."

We are scheduled to present a briefing about CVE and CWE at the 5th Annual Cyber Security Executive Summit for the financial services sector on September 13-14, 2006 at the Metropolitan Pavilion in New York City, New York, USA. The event will introduce CVE and CWE to financial industry executives and security professionals from around the world.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.

CVE to Host Booth at IT Security World 2006

We are scheduled to host a CVE/CCE/CWE/OVAL/CME exhibitor booth at MISTI's IT Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference will expose CVE, CCE, CWE, OVAL, and CME to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs.

Visit the CVE Calendar page for information on this and other upcoming events.

585 CVE Names with Candidate Status Added to CVE List in August

585 CVE names with candidate status were added to the CVE List in August 2006. As of August 30, 2006, there were 18,898 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 16,733 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Recently released CVE names are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for August or any month.

CCE provides unique identifiers to system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. As an example, CCE Identifiers could be used to associate checks in configuration assessment tools with statements in configuration best-practice documents such as the Center for Internet Security (CIS) benchmark documents.

A very preliminary draft of the CCE List is available now for public review and comment. This preliminary draft is intended as a proof-of-concept and focuses on security-related configuration issues for Windows 2000, Windows XP, and Windows Server 2003. The draft should not be considered final and will be modified over time. In particular, the CCE IDs themselves are not final and will likely change significantly in future versions. Currently, each entry on the list includes the following: CCE Identifier number, description, logical parameters, technical mechanisms, and any references. Refer to the CCE List page for more information.

The new section includes the CCE List; a CCE Status section detailing the status of the current version; a description of How to Participate for organizations and individuals interested in contributing; and a Join the CCE Working Group section for those interested in actively participating in this new community initiative.

CVE was the main topic of an article entitled "The 411 on CVE" in the July 2006 issue of Healthcare Informatics Online. In the article the author describes some of the business impacts of CVE when he states: "Cost-effectiveness research done by both end users and vendors has shown CVE-based technology is worth the money." The author discusses comments about CVE by Larry Pesce, manager of information systems security for Care New England, Providence, R.I., who "cannot imagine doing his job without tools that support the industry-standard vulnerability dictionary known as CVE..." Pesce says that "the CVE-compatible automated penetration testing tool he uses (Core Impact from Core Security, Boston) has saved Care New England — which includes three hospitals, community wellness centers in Providence and Warwick, R.I., and a visiting nurses' association — the cost of hiring one to two full-time network administrators." The author further states: "Pesce's cost-savings analysis is backed by another industry veteran. Billy Austin, chief security officer of Saint Corporation, Bethesda, Md., which recently introduced a CVE-compatible integrated vulnerability scanning and penetration testing tool, [who] says his company's research shows users who take advantage of the CVE reference infrastructure save an average of 2.5 hours of staff time over doing Internet searches for any given vulnerability's attack vectors, likely impact of an exploit, and remediation steps."

CVE Mentioned in Article about Vulnerabilities in USA Today

CVE was mentioned in an article entitled "Cybercrooks constantly find new ways into PCs" in the August 3, 2006 issue of USA TODAY. The article was a report from Black Hat Briefings 2006 on August 2nd - 3rd, at which CVE hosted an exhibitor/meeting booth. CVE is mentioned in the article as follows: "[The CVE List] provides common names for publicly known security holes and is a rough indicator of which applications are attracting hackers' attention." The article also includes a quote by Secure Elements, Inc., security director Scott Carpenter, who states: "The CVE identifier is the most oranges-to-oranges comparison you can make."

CVE Hosts Booth at Black Hat Briefings 2006

MITRE hosted a CVE/CWE/OVAL/CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd, 2006 at Caesars Palace in Las Vegas, Nevada, USA. The event exposed CVE, CWE, OVAL, and CME to a diverse audience of information security-focused attendees from around the world.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.

431 CVE Names with Candidate Status Added to CVE List in July

431 CVE names with candidate status were added to the CVE List in July 2006. As of August 2, 2006, there were 18,426 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 15,374 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Recently released CVE names are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for July or any month.

The third draft of CWE has been posted on the CWE List page on the CVE Web site. Changes include (1) additional descriptions and mitigations for about 150 of the items; (2) adding language-specific indicators for those that are tied to a language or platform such as C, C++, Java, or .NET; (3) minor revisions and updates to many other items; and (4) addition of a first cut at a CWE_ID field that is meant to be a unique, non-variant identifier for the CWE content.

CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Our next step in building CWE involves gathering data about weaknesses from fourteen tool and knowledge sources and then merging this new data into the current list to create a fourth draft. We welcome any comments about CWE at cwe@mitre.org.

Download Options for CVE List Modified on July 19th

As of July 19, 2006 downloads of the CVE List will no longer be available with the old-style "CAN" prefix. The CVE naming scheme was modified on October 19, 2005 to replace the "CAN" prefix with a "CVE" prefix in all CVE names. Downloads using only the "CVE" prefix were introduced at that time and will continue to be offered in three options: (1) a single list combining both CVE names with "entry" and "candidate" status, (2) entries only, and (3) candidates only. Each option is available in multiple formats: XML, HTML, Text, and comma separated. The "CAN" prefix downloads were continued for eight months to support the transition from the old format.

CVE information is also available from external resources including CVE Change Logs, a free tool from CERIAS/Purdue University that records changes to the CVE List, and the U.S. National Vulnerability Database (NVD), which is based upon CVE identifiers and offers a variety of search and download options.

CVE was the main topic of an article entitled "Functionality Meets Terminology to Address Network Security Vulnerabilities" in the June 2006 issue of IEEE Distributed Systems Online. The article describes what CVE is and the problems it solves, discusses the history of CVE, mentions CVE compatibility, and notes that the U.S. National Institute of Standards and Technology's National Vulnerability Database (NVD) is built wholly upon CVE identifiers. The article includes a quote from NVD project leader and CVE Editorial Board member Peter Mell, who states: "With 300-plus products and services using [CVE identifiers], we definitely need a database of information relative to the CVE standard, and the NVD database provides that. End users need a way to prioritize the constant stream of vulnerabilities that are coming out ... [and by] ... integrating the NVD and CVE, we've made a significant step toward helping people to do that."

The author notes some of the business impacts of CVE via its CVE Compatibility Program when he states: "CVE-compatible products have shown themselves to be cost-effective. Larry Pesce, manager of information systems security for Care New England, a Rhode Island-based healthcare network, says the use of a CVE-compatible penetration testing tool by vendor Core Security probably saves the organization the cost of one to two full-time employees a year. Billy Austin, chief security officer of Saint, a CVE-compatible vendor, says using such tools saves the typical security administrator 2.5 hours per vulnerability over doing manual searches."

The article also mentions MITRE's follow-on standards efforts including Open Vulnerability and Assessment Language (OVAL), which uses CVE identifiers as the basis for its standardized XML definitions that check for the presence of vulnerabilities on systems; Common Malware Enumeration (CME), which provides single, common identifiers to virus threats to reduce public confusion during malware outbreaks and to facilitate the adoption of a shared, neutral indexing capability for malware; and Common Weakness Enumeration (CWE), which is a community-developed formal list of common software weaknesses intended to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. The CWE dictionary, which is based in part on the numerous identifiers on the CVE List, is currently hosted on the CVE Web site.

The article concludes with a quote by MITRE's CWE Project Manager, Robert A. Martin, who comments on the purpose behind these other information security standards efforts: "People are so used to selecting the vendor and that's kind of the core they build out from. What we want them to do is get married to enabling standards and then build around that."

MITRE is scheduled to host a CVE/CWE/OVAL/CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd at Caesars Palace in Las Vegas, Nevada, USA. The event will expose CVE, CWE, OVAL, and CME to a diverse audience of information security-focused attendees from around the world.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.

CVE Editorial Board Holds Teleconference

The CVE Editorial Board held a teleconference on Thursday, June 28, 2006, with 10 Board members participating, and 4 representatives from MITRE. Topics included a CVE content activity update; the role of entries, candidates, and voting; updates on the Common Weakness Enumeration (CWE), Common Configuration Enumeration (CCE), and CIEL; future role of the Board; and a discussion of prospective Board members.

Rede Nacional de Ensino e Pesquisa (RNP) issued a security advisory on December 4, 2003 entitled "Vulnerabilidade no rsync 2.5.6" that referenced CVE-2003-0962. Numerous other RNP advisories also include CVE identifiers. To-date, 71 organizations from around the world have included CVE identifiers in their security advisories, ensuring that the community benefits by having CVE identifiers as soon as the problem is announced.

Download Options for CVE List will be Modified July 19th

On July 19, 2006 downloads of the CVE List will no longer be available with the old-style "CAN" prefix. The CVE naming scheme was modified on October 19, 2005 to replace the "CAN" prefix with a "CVE" prefix in all CVE names. Downloads using only the "CVE" prefix were introduced at that time and will continue to be offered in three options: (1) a single list combining both CVE names with "entry" and "candidate" status, (2) entries only, and (3) candidates only. Each option is available in multiple formats: XML, HTML, Text, and comma separated. The "CAN" prefix downloads were continued for eight months to support the transition from the old format.

CVE information is also available from external resources including CVE Change Logs, a free tool from CERIAS/Purdue University that records changes to the CVE List, and the U.S. National Vulnerability Database (NVD), which is based upon CVE identifiers and offers a variety of search and download options.

676 CVE identifiers with candidate status were added to the CVE List in June 2006. As of July 5, 2006, there were 17,995 CVE identifiers with entry or candidate status posted on the List with 3,052 posted as official entries and 15,621 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total identifiers and total candidates, and to review, search, or download the CVE List. Recently released CVE identifiers are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for June or any month.

Five information security products and services from four organizations are the latest to achieve the final stage of MITRE's formal CVE Compatibility Process and are now officially "CVE-compatible." Each product is now eligible to use the CVE-Compatible Product/Service logo, and their completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaires are posted as part of their product listings on the CVE-Compatible Products and Services page on the CVE Web site. A total of 65 products to-date have been declared officially compatible.

The following products are now registered as officially "CVE-Compatible":

Use of the official CVE-Compatible logo by these organizations will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaires will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

Download Options for CVE List to be Modified on July 10th

Beginning July 10, 2006, downloads of the CVE List will no longer be available with the old-style "CAN" prefix. The CVE naming scheme was modified on October 19, 2005 to replace the "CAN" prefix with a "CVE" prefix in all CVE names. Downloads using only the "CVE" prefix were introduced at that time and will continue to be offered in three options: (1) a single list combining both CVE names with "entry" and "candidate" status, (2) entries only, and (3) candidates only. Each option is available in multiple formats: XML, HTML, text, and comma-separated. The "CAN" prefix downloads were continued for 8 months to support the transition from the old style.

CVE information is also available from external resources including CVE Change Logs, a free tool from CERIAS/Purdue University that records changes to the CVE List, and the U.S. National Vulnerability Database (NVD), which is based upon CVE names and offers a variety of search and download options.

AdventNet, Inc. declared that its vulnerability management system, SecureCentral ScanFi, and its patch management system, SecureCentral PatchQuest, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

LANDesk Software Inc. Makes Two Declarations of CVE Compatibility

LANDesk Software Inc. declared that its patch management system, LANDesk Patch Manager, and its active endpoint security management system, LANDesk Security Suite, will be CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

CWE Main Topic of Briefing Scheduled for June 29th at NIST's Static Analysis Summit

CWE is based in part on the CVE List's 17,000 plus CVE names. More information about CWE is available in the CWE section on the CVE Web site.

680 CVE Names with Candidate Status Added to CVE List in May

680 CVE names with candidate status were added to the CVE List in May 2006. As of May 31, 2006, there were 17,209 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 14,960 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Recently released CVE names are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for May or any month.

CVE Names Included in Spring Update of "SANS Top Twenty" List of Internet Security Threats

The 2006 Spring Update to the Twenty Most Critical Internet Security Vulnerabilities, a SANS/FBI consensus list of the most critical problem areas in Internet security, was released on May 1, 2006 and includes an additional 55 CVE names. The full list now includes 296 CVE names. According to the SANS Web site, this latest update of the Top Twenty "enables cyber security professionals to tune their defensive systems to reflect the most important new vulnerabilities that attackers are exploiting to take over computers and steal sensitive or valuable information." The list includes CVE names with both entry and candidate status to uniquely identify the vulnerabilities it describes. This will help system administrators use CVE-compatible products and services to help make their networks more secure.

The conference's stated purpose was to address the need that "government, industry, and academia must collaborate more closely in all aspects of systems and software engineering — designing, building, and managing complex 'systems of systems' in support of DOD."

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, CWE, and/or other vulnerability management topics at your event.

CWE Main Topic of Briefing at DOD System and Software Technology Conference

The presentation examined MITRE's three DHS-sponsored security information exchange initiatives — Common Vulnerabilities and Exposures (CVE), Open Vulnerability and Assessment Language (OVAL), and Common Malware Enumeration (CME) — including the purpose of each effort, its goals, participants, future plans, and how each effort benefits the incident response community.

Visit the CVE Calendar page for information on this and other upcoming events.

603 CVE Names with Candidate Status Added to CVE List in April

603 CVE names with candidate status were added to the CVE List in April 2006. As of April 26, 2006, there were 16,529 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 14,264 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Recently released CVE names are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for April or any month.

Cenzic, Inc. declared that its application security assessment tool, Cenzic Hailstorm, and its application security assessment service, Cenzic ClickToSecure, will be CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Second Draft of Common Weakness Enumeration (CWE) Now Available

The second draft of CWE has been posted on the CWE List page on the CVE Web site. Changes include (1) cleaning up the names of the current elements, and (2) full expansion of the current elements using additional content from PLOVER, Seven Pernicious Kingdoms, and CLASP.

CWE is a community-developed formal list of common software weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Our next step in building CWE involves gathering data about weaknesses from ten tool and knowledge sources and then merging this new data into the current list to create a third draft. We welcome any comments about CWE at cwe@mitre.org.

The presentation will examine MITRE's three DHS-sponsored security information exchange initiatives: Common Vulnerabilities and Exposures (CVE), Open Vulnerability and Assessment Language (OVAL), and Common Malware Enumeration (CME). The presentation will start with CVE, move to OVAL, the increasingly popular language for specifying system state information, and finish with the newest initiative for malware, CME. The purpose of each effort, its goals, participants, and future plans will be reviewed. How each effort benefits the incident response community will also be reviewed.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.

CVE to Present Briefings at DOD System and Software Technology Conference on May 4th

The conference's stated purpose is to address the need that "government, industry, and academia must collaborate more closely in all aspects of systems and software engineering — designing, building, and managing complex 'systems of systems' in support of DOD."

Visit the CVE Calendar page for information on this and other upcoming events.

518 CVE Names with Candidate Status Added to CVE List in March

518 CVE names with candidate status were added to the CVE List in March 2006. As of March 29, 2006, there were 15,926 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 13,671 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review the additions for March or any month.

MITRE hosted a CVE/OVAL/CME exhibitor booth at MISTI's InfoSecWorld 2006 Conference & Expo on April 3rd - 4th at the Coronado Springs Resort in Orlando, Florida, USA. The conference exposed CVE, OVAL, and CME to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference was targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. Organizations listed in the CVE-Compatible Products and Services section also exhibited.

Photos from the event are included below:

Visit the CVE Calendar page for information on this and other upcoming events.

Blue Lane Technologies Inc. has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Blue Lane PatchPoint System. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

To-date, 60 products or services from around the world have been awarded a CVE-Compatible logo and registered as Officially CVE-Compatible. For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

CWE is a community-developed formal list of common software weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Based in part on the CVE List's 15,000 plus CVE names—but also including detail and scope from a diverse set of other industry and academic sources and examples including the McGraw/Fortify "Kingdoms" taxonomy; Howard, LeBlanc & Viega's 19 Deadly Sins; and Secure Software's CLASP project; among others—CWE's definitions and descriptions support the finding of common types of software security flaws in code prior to fielding. This means both users and developers now have a mechanism for ensuring that the software products they acquire and develop are free of known types of security flaws by describing their code and assessment capabilities in terms of their coverage of the different CWEs.

MITRE is scheduled to host a CVE/OVAL/CME exhibitor booth at MISTI's InfoSecWorld 2006 Conference & Expo on April 3rd - 4th at the Coronado Springs Resort in Orlando, Florida, USA. The conference will expose CVE, OVAL, and CME to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. Please stop by Booth 436 and say hello. In addition, organizations listed in the CVE-Compatible Products and Services section will also be exhibiting.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.

504 CVE Names with Candidate Status Added to CVE List in February

504 CVE names with candidate status were added to the CVE List in February 2006. As of February 28, 2006, there were 15,408 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 12,356 as candidates. New candidates are added daily. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review the additions for February or any month.

Topics covered in the briefing session included standards-based vulnerability and remediation capabilities; Open Vulnerability and Assessment Language (OVAL); standards-compliant test rules to drive assessment and reporting using commercial products; leveraging OVAL-compliant versions of the DISA STIGS or CIS benchmarks with commercial tools; improving reporting of vulnerability and configuration status for FISMA; and leveraging automation and standards to make FISMA reporting economical.

Visit the CVE Calendar page for information on this and other upcoming events.

There is no set publication schedule so check the Editor's Commentary page regularly for new posts. You may also contact cve@mitre.org with any comments or suggestions.

Certificate of CVE Compatibility Awarded to CA

CA was recently presented with an Official Certificate of CVE Compatibility for its eTrust Vulnerability Manager product. MITRE presented the award at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA. A total of 60 products to-date are officially CVE-Compatible.

ThreatGuard, Inc. was recently presented with an Official Certificate of CVE Compatibility for its ThreatGuard Traveler product. MITRE presented the award at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA. A total of 60 products to-date are officially CVE-Compatible.

To-date, 60 products or services from around the world have been awarded a CVE-Compatible logo and registered as Officially CVE-Compatible. For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

BigFix, Inc. Makes Declaration of CVE Compatibility

BigFix, Inc. declared that its vulnerability and security configuration management suite, BigFix Enterprise Suite, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Safend Makes Four Declarations of CVE Compatibility

Safend declared that four of its products will be CVE-compatible: its firewalls, Safend Protector and USB Port Protector; its vulnerability assessment service, Safend Auditor; and its on-demand vulnerability assessment service, USB Auditor. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Topics that will be covered in the briefing session include standards-based vulnerability and remediation capabilities; Open Vulnerability and Assessment Language (OVAL); standards-compliant test rules to drive assessment and reporting using commercial products; leveraging OVAL-compliant versions of the DISA STIGS or CIS benchmarks with commercial tools; improving reporting of vulnerability and configuration status for FISMA; and leveraging automation and standards to make FISMA reporting economical.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.

CVE Hosts Booth at RSA Conference 2006, February 13-17

MITRE hosted a CVE/OVAL/CME exhibitor booth at RSA Conference 2006 on February 13-17, 2006 at the McEnery Convention Center, in San Jose, California, USA. The RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event introduced CVE, OVAL, and CME to security professionals from industry, government, and academia from around the world. Organizations listed in the CVE-Compatible Products and Services section also exhibited.

Photos from the event are included below:

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.

CVE Main Focus of Article on VoIPLoop.com

CVE was the main focus of a February 14, 2006 article on VoIPLoop.com entitled "A CVE is not a Resume-It's a Threat." The article explains what CVE is and the problems it addresses; states the number of names currently on the CVE List; mentions the current number of officially CVE-Compatible products and the number of products with declarations to be CVE-compatible; includes a link to the CVE Web site; and discusses CVE-2005-4050 and CVE-2005-3804, which address VoIP vulnerabilities. The author also recommends that readers use CVE-compatible products and that they check the CVE List regularly for new VoIP-specific vulnerabilities.

CVE and OVAL Main Topics of MITRE Digest Article

CVE and OVAL were the main topics of a February 2006 MITRE Digest article on the MITRE Corporation Web site entitled "Information Assurance Industry Uses CVE and OVAL to Identify Vulnerabilities." The article describes how "as the number of software vulnerabilities continues to increase, MITRE's OVAL and CVE initiatives are becoming standards in the information assurance industry." The article further describes how the growing list of CVE names "ensures enhanced interoperability and security for enterprises" and describes how "OVAL identifies vulnerabilities and configuration issues."

The article concludes with a section on how "MITRE is leveraging the CVE and OVAL Initiatives to help the [U.S.] Department of Defense (DoD) transform its enterprise incident and remediation management efforts" and how "as a result, the DoD will be fundamentally changing the way it deals with vulnerabilities and configuration issues in the commercial and open source components of its infrastructure and mission systems."

Eight information security products and services from seven
organizations are the latest to achieve the final stage of MITRE's formal CVE
Compatibility Process and are now officially "CVE-compatible." Each
product is now eligible to use the CVE-Compatible Product/Service logo, and
their completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaires
are posted as part of their product listings on the CVE-Compatible
Products and Services page on the CVE Web site. A total of 60 products
to-date have been declared officially compatible.

The following products are now registered as officially "CVE-Compatible":

Use of the official CVE-Compatible logo by these organizations will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaires will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

CVE Compatibility certificates were awarded on Tuesday, February 14, 2006 at RSA Conference 2006 in San Jose, CA, USA, to the organizations that have achieved this final phase. The certificates were presented to all seven organizations, including CA; DragonSoft Security Associates, Inc.; Information Risk Management Plc; NetClarity; NSFOCUS Information Technology Co., Ltd.; ThreatGuard, Inc.; and Venus Information Technology, Inc.

577 CVE names with candidate status were added to the CVE List in January 2006. As of January 31, 2006, there were 14,904 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 12,608 as candidates. New candidates are added daily. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review the additions for January or any month.

CVE names are unique, common identifiers for publicly known information security vulnerabilities. Each CVE name includes the following: the CVE identifier number (e.g., "CVE-1999-0067"); an indication of "entry" or "candidate" status; a brief description of the security vulnerability or exposure; and any pertinent references (e.g., vulnerability reports and advisories, or an OVAL-ID).
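The identifier format just described, together with the "CAN" to "CVE" prefix change covered in the July download-options item above, is easy to get wrong in tooling that ingests both old-style and new-style downloads: the same vulnerability can show up once as "CAN-YYYY-NNNN" and once as "CVE-YYYY-NNNN". The following is an added example, not code from MITRE or the CVE Web site. It is a small Python normalizer that accepts either prefix, validates the year and sequence, and counts entry and candidate status without double-counting a name that appears under both prefixes. It goes slightly beyond the 2006-era format by accepting sequence numbers longer than four digits, which the later CVE ID syntax change allows; the record layout and all sample records other than the name CVE-1999-0067 are constructed for this example.

```python
"""Normalize CVE identifiers across the 2005 "CAN" -> "CVE" prefix change.

Added example, not MITRE's code. The (name, status, description) record
layout is constructed for illustration; real CVE List downloads carry
additional fields such as references.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# "CVE-YYYY-NNNN" or the pre-October-2005 "CAN-YYYY-NNNN" form.
# The 2006-era syntax used exactly four sequence digits; the later CVE ID
# syntax change allows longer sequences, so \d{4,} accepts both.
_ID_RE = re.compile(
    r"^(?P<prefix>CVE|CAN)-(?P<year>\d{4})-(?P<seq>\d{4,})$", re.IGNORECASE
)

VALID_STATUS = ("entry", "candidate")


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: str        # kept as text so leading zeros survive ("0067")
    legacy_can: bool     # True when the source used the retired "CAN" prefix

    @property
    def name(self) -> str:
        """Canonical name under the post-2005 scheme."""
        return f"CVE-{self.year}-{self.sequence}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Parse a CVE or legacy CAN identifier; return None if malformed."""
    m = _ID_RE.match(text.strip())
    if not m:
        return None
    year = int(m.group("year"))
    if year < 1999:          # the CVE List starts with 1999 identifiers
        return None
    return CveId(year=year,
                 sequence=m.group("seq"),
                 legacy_can=m.group("prefix").upper() == "CAN")


Record = Tuple[str, str, str]   # (name, status, description), constructed layout


def summarize(records: Iterable[Record]) -> dict:
    """Count entries and candidates after normalizing names.

    A tool that still ingests old "CAN" downloads alongside "CVE" ones would
    otherwise count the same vulnerability twice; such collisions are
    reported rather than counted. Malformed names and unknown status values
    are reported as invalid.
    """
    seen = {}
    counts = {s: 0 for s in VALID_STATUS}
    invalid: List[str] = []
    collisions: List[str] = []
    for name, status, description in records:
        cid = parse_cve_id(name)
        if cid is None or status not in counts:
            invalid.append(name)
            continue
        if cid.name in seen:
            collisions.append(cid.name)
            continue
        seen[cid.name] = (status, description)
        counts[status] += 1
    return {"total": len(seen), "counts": counts,
            "invalid": invalid, "collisions": collisions}


# Constructed sample records. CVE-1999-0067 is the example name used on the
# CVE site; the descriptions and the remaining names are made up here.
SAMPLE_RECORDS: List[Record] = [
    ("CVE-1999-0067", "entry", "example identifier from the CVE site"),
    ("CAN-2005-1234", "candidate", "old-style download of a 2005 candidate"),
    ("CVE-2005-1234", "candidate", "same candidate from a new-style download"),
    ("cve-2006-0001", "candidate", "lowercase prefix, still valid"),
    ("CVE-05-0001", "candidate", "two-digit year: malformed"),
    ("CVE-2006-0002", "published", "status outside entry/candidate"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        cid = parse_cve_id(rec[0])
        print(rec[0], "->", cid.name if cid else "INVALID",
              "(legacy CAN)" if cid and cid.legacy_can else "")
    print(summarize(SAMPLE_RECORDS))
```

Keeping the sequence as text rather than an integer matters for matching against advisories and change logs, which print the zero-padded form; converting "0067" to 67 and back is a common source of mismatches when a tool later compares names as strings.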

Openware declared that its on-demand vulnerability management and assessment service, ATTAKA, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

MITRE is scheduled to host a CVE/OVAL/CME exhibitor booth at RSA Conference 2006 on February 13-17, 2006 at the McEnery Convention Center, in San Jose, California, USA. RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event will introduce CVE, OVAL, and CME to security professionals from industry, government, and academia from around the world. Organizations with CVE-Compatible Products and Services will also be exhibiting. Please stop by Booth 1743, or any of these booths, and say hello.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.

CVE Hosts Booth at IA Conference Workshop, January 30 - February 1

MITRE hosted a CVE/OVAL/CME exhibitor booth at the 10th annual U.S. Department of Defense (DOD) Information Assurance (IA) Conference Workshop on January 30 - February 1, 2006 at the Philadelphia Marriott Downtown, in Philadelphia, Pennsylvania, USA. The purpose of the workshop, which is hosted by the Defense Information Systems Agency (DISA), National Security Agency (NSA), Joint Staff, and the United States Strategic Command, was to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of DOD IA strategy. The event introduced CVE, OVAL, and CME to representatives of the DOD and other Federal Government employees and their sponsored contractors. Organizations with CVE-Compatible Products and Services also exhibited.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.

CVE Announces Initial 'Calendar of Events' for 2006

The CVE Initiative has announced its initial calendar of events
for the first half of 2006. Details regarding MITRE's scheduled participation
at these events are noted on the CVE Calendar page.
Each listing includes the event name with URL, date of the event, location,
and a description of our activity at the event.

Other events will be added throughout the year. Visit the CVE
Calendar for information or contact cve@mitre.org to
have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME,
and/or other vulnerability management topics at your event.

CVE Presents Briefing at InfraGard Meeting

CVE Compatibility Lead Robert A. Martin presented a briefing about CVE at InfraGard's Boston Member Alliance Quarterly Meeting on January 18, 2006 at MFS in Boston, Massachusetts, USA. InfraGard is a U.S. Federal Bureau of Investigation (FBI) program to gain support from the information technology industry and academia for the FBI's investigative efforts concerning various terrorism, intelligence, criminal, and security matters in the cyber arena. See the national InfraGard Web site for more information about InfraGard and its mission.

Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.

714 CVE Names with Candidate Status Added to CVE List in December

714 CVE names with candidate status were added to the CVE
List in December 2005. As of December 28, 2005, there were 14,338 CVE
names with entry or candidate status
posted on the List with 3,052 posted as official entries and 12,031 as candidates.
New candidates are added daily. Refer to the Get CVE page
for the most recent breakdown of total names and total candidates, and to
review, search, or download the CVE List. Use CVE
Change Logs, a free tool from CERIAS/Purdue University, to review the
additions for December or any month.

CVE to Host Booth/Participate on Discussion Panel at Homeland Security for Networked Industries 2006 Conference & Expo in January

MITRE is scheduled to host a CVE/OVAL/CME exhibitor booth at Homeland Security for Networked Industries (HSNI) 2006 Conference & Expo on January 9-11, 2006 at Walt Disney World Resort, in Orlando, Florida, USA. The conference is "the first of its kind to encourage cross-industry collaboration on network security issues pertinent to America's critical infrastructures [or those] networks which serve as the backbone for daily life for the American public." It is "an opportunity to listen and network with IT decision makers from a variety of networked industries including utilities, telecom and transportation as well as government."

In addition, CVE Compatibility Lead Robert A. Martin will be participating on a Discussion Panel about CVE on January 11th with Carl Benzhof, CTO of Citadel Security Software; Peter Allor, Director of Operations for Internet Security Systems; Gerhard Eschelbeck, CTO & VP of Engineering at Qualys, Inc.; and Greg Galford, Lead Program Manager at Microsoft Corporation's Security Resource Center.

CVE is also mentioned in a quote by Gary Miliefsky, NetClarity's chief technology officer, who states: "If you are considering deploying VoIP on the same network as your desktop computers and servers, you are at high risk of poor call quality, denial of service, breaches of privacy, integrity and availability. By removing your CVEs, you can quickly mitigate much of this risk. Because these packet-based networks are not very secure by default they are extremely susceptible to attacks such as Man in the Middle (eavesdropping and alerting) and Denial of Service (DoS). Auditor now enables customers to quickly find and remediate CVE that may lead to these types of attacks."

Finally, CVE is highlighted in a list of the new features of the latest release of Auditor: "Integration with the National Vulnerability Database [NVD], which is based on and synchronized with the MITRE CVE naming standard: this comprehensive cyber security vulnerability database enables customers to better understand how vulnerabilities impact their business and how to fix them as well as the latest threats against their [CVE names]."